GDPR: Three key things that charities need to fix

21st August 2017

New rules designed to protect personal data, are due to come into force on the 25th May 2018, and British charities need to be prepared or they could face millions of pounds in fines.

Guest blog post by Hannah Henderson Hannah Henderson is a freelance journalist based in Winchester with clients including BBC News and ITN. She is a specialist in digital storytelling and social media.

The General Data Protection Regulation (GDPR) will apply to everyone who controls or processes the data of an individual living in the European Union. Studio Republic has been working with clients in the not-for-profit sector to address three of the key challenges raised by GDPR; consent, accountability and legacy data.


From May, it will be a legal requirement that charities are upfront about what they are doing with personal information and who it is being shared with. If this data is used for ‘promotional and fundraising activities’, then according to the Information Commissioner’s Office (ICO), it constitutes ‘direct marketing’ and falls under GDPR. The challenge for charities going forward is that people will need to give ‘explicit consent’.

How will this impact charity campaign literature and web design?

Consent must be ‘freely given, specific, informed and unambiguous’. Presently, using a hyperlink to a charity’s privacy policy is deemed sufficient to meet data protection obligations. Pre-selected tick boxes on campaign websites are often used to confirm an individual has read the privacy policy and understands what they are consenting to. Regulators say that these two approaches would not be allowed under GDPR. Websites and campaign communications will need to feature clear explanations of how each piece of data will be used. Supporters can be presented with a clear opt-in tick box to show they have been offered an informed choice.


It is easy to assume that GDPR will just impact fundraising activities, but service user’s records and volunteer’s personal data will also be covered. GDPR places new emphasis on accountability. Individuals can ask charities for documented evidence of what personal data is held, and they will no longer be charged for doing so. Not-for-profits with scant resources, who may not have standardised practice for recording and storing different types of personal data may find this particularly challenging. Charities have a duty to ensure that any personal data they do use is stored in a secure and appropriate manner. Data breaches which could compromise the rights and freedoms of individuals must be revealed to regulators within 72 hours.

What action should be taken?

Simple steps charities can take are:
  • Encrypting any portable devices such as laptops and USB sticks
  • Ensuring staff and volunteers use secure passwords to current guidance
  • Restricting access to personal data to those who need it
  • Recording personal data in a standard electronic form
  • Providing data protection training to staff and volunteers who have access to personal data

Legacy Data & Retention

Under GDPR, charities will be responsible for the personal information they gather and it’s use. Data should not be stored for ‘unnecessarily long periods of time’, and individuals have the right to have inaccurate data erased. This could be a particular problem for larger organisations with big membership lists. Supporters and volunteers who have previously provided their information to the charity may need to give their consent again, for their data to be used for marketing purposes. In 2015 the RNLI, with the best of intentions, attempted to achieve this by launching a campaign focused on asking supporters to ‘opt in’ to receiving marketing emails. In May it revealed that it was having to ‘unpick’ some of these consent systems because of GDPR. The methods charities use to seek consent from individuals in their legacy data can be problematic. For example what should not-for-profits do about donors who choose to only receive marketing material by post? The regulations say that ‘ inactivity should not constitute consent’. Unfortunately, it isn’t clear how many times charities can contact people by post to seek their consent, before they must delete the personal information. Regulators have recently punished firms who were too persistent in seeking consent. An investigation by the ICO found the airline Flybe deliberately sent more than 3.3 million emails to people who had previously told them they didn’t want to receive marketing emails. They were fined £70,000 for breaking existing legislation.

How to seek consent while retaining members?

Studio Republic has been working with clients to seek suitable consent from their legacy data. Chris Todhunter explains how seeking consent can be an opportunity for charities to clear out well meaning but unresponsive individuals from their files, allowing them to focus their appeals on engaged supporters. The incoming legislation will have a huge impact on how all organisations handle data, with charities potentially being the hardest hit as they rely heavily on direct marketing. Now is the time to act to ensure explicit consent is requested ahead of May 2018 and we are getting involved in helping our clients achieve this. We would urge any organisation to ensure they have taken all steps to get consent for the data they store and use, and crucially secure that data.